§ 36.06 IDENTITY THEFT PROGRAM.
   (A)   Purpose. To outline procedures for compliance with the Fair and Accurate Credit Transactions (FACT) Act of 2003, being 15 U.S.C. §§ 1681 et seq., and the Oregon Information Protection Act (OIPA) of 2007, being O.R.S. 646A.600.
   (B)   Policy. It is the policy of the city to protect personal information and comply with the FACT and the OIPA.
   (C)   Objectives.
      (1)   Safeguarding personal information. The city shall implement and maintain reasonable safeguards to protect the security and confidentiality of personal information, including its proper custody and disposal. Personal information includes an employee or customer’s name in combination with a Social Security number, state driver’s license, state identification card, passport number or other United States issued identification number, or a financial credit or debit card number along with a security or access code.
      (2)   Social Security numbers (SSN) protection. Printing SSNs on any mailed materials not requested by the employee or customer (unless redacted) or on cards used to access products, services, or city buildings (such as ID cards), and publicly posting or displaying SSNs, are prohibited. Exemptions include requirements by state or federal laws, such as W2s, W4s, 1099s, and the like; records for use in internal verification or administrative processes; and records used for enforcing a judgment or court order.
      (3)   Notification of security breach. In the event that personal identifying information has been subject to a security breach, the city will provide notification of the breach to the employee or customer as soon as possible in writing, electronically if that is the primary manner of communication with the employee or customer, or by telephone if the person is contacted directly. The exception is if the notification would impede a criminal investigation. For the purposes of this policy, a security breach is when it is known that sensitive data has been lost or is outside city staff’s control.
   (D)   Procedures.
      (1)   Supervisors (City Recorder and Public Works Director) are responsible for being familiar with the FACT and OIPA and for meeting with their staff to assess current compliance and document appropriate safeguard practices in writing, including the elements identified in division (D)(4) below. These safeguard practices may be updated periodically to reflect changes in risks to employees and customers from identity theft. Supervisors are also responsible for including this policy in new employee orientation, including that of temporary employees, by documenting review of this policy and the concepts in “Identity Theft-A Business Guide,” Oregon Department of Consumer and Business Services.
      (2)   The City Recorder is responsible for establishing technical controls to safeguard personal information stored in electronic format and for documenting safeguard practices in writing.
      (3)   Employees are responsible to comply with this policy and any internal processes as directed by their supervisors. Noncompliance may result in formal disciplinary action up to and including termination of employment. Employees should contact their supervisors if they have questions about compliance with this policy.
      (4)   Red flag means a pattern, practice, or specific activity that indicates the possible existence of identity theft.
         (a)   Identifying relevant red flags. Periodic assessments of the types of accounts maintained and the methods of establishing and accessing accounts shall be conducted. Any notification or alert from a consumer reporting agency, employee, customer, law enforcement authority, or other person, or the presentation of suspicious information or documents, shall be immediately provided to the supervisor.
         (b)   Detecting red flags. Detection may be addressed by obtaining verification of identifying information, monitoring transactions, and verifying the validity of change of address requests.
         (c)   Prevention and mitigation. Appropriate responses to detected red flags shall be commensurate with the degree of risk posed and shall include, but are not limited to, monitoring the covered account, contacting the customer, notifying law enforcement, or determining that no response is warranted.
         (d)   Updating the program. Updates may occur periodically to reflect changes in methods of identity theft, methods of detection, prevention, and mitigation of identity theft, or types of accounts maintained.
(Res. 388, passed 10-21-2008)